Hi

I have implemented an application using org.apache.commons.net.ftp.FTPSClient. The application connects to the FTPS server and everything works fine, except that FTPSClient connects to the FTPS server both when I use the hostname and when I use an IP address. That is, when I connect with FTPSClient.connect(<hostname>) it connects fine. And when I connect with FTPSClient.connect(<IP address>) it connects fine. This is wrong, as it means no hostname verification is going on. That is, the server certificate common name does not have to be equal to the hostname.

I have spent hours trying to figure out how I am supposed to do hostname verification with FTPSClient. Anybody that can help me?

Secondly, it seems very dangerous to me that FTPSClient does not do hostname verification by default, as many people don't know about hostname verification and probably use FTPSClient without it. So many people may feel that their application is secure while having a big security hole.

Regards,
Mads Lindstrøm
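An added example, not part of the original post: one way to make FTPSClient reject a certificate that does not match the name passed to connect(). It assumes Apache Commons Net 3.4 or later (where setEndpointCheckingEnabled exists) on Java 7+; the class name and the host ftps.example.com are placeholders.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLException;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

public class VerifiedFtpsConnect {

    /** Connects with chain validation and hostname checking, or throws. */
    static FTPSClient connect(String host, int port)
            throws IOException, GeneralSecurityException {
        FTPSClient client = new FTPSClient("TLS", false); // explicit FTPS (AUTH TLS)

        // Validate the certificate chain against the JVM default trust store.
        client.setTrustManager(TrustManagerUtils.getDefaultTrustManager(null));

        // Must be set before connect(): turns on HTTPS-style endpoint
        // identification, so the certificate has to name the host we asked for.
        // Connecting by IP address then fails unless the certificate lists
        // that IP address as a subject alternative name.
        client.setEndpointCheckingEnabled(true);

        try {
            client.connect(host, port);
        } catch (SSLException e) {
            try { client.disconnect(); } catch (IOException ignored) { }
            throw new IOException("TLS verification failed for " + host, e);
        }

        if (!FTPReply.isPositiveCompletion(client.getReplyCode())) {
            String reply = client.getReplyString();
            client.disconnect();
            throw new IOException("FTP server refused connection: " + reply);
        }

        client.execPBSZ(0);   // required before PROT
        client.execPROT("P"); // protect data connections with TLS as well
        return client;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ftps.example.com"; // placeholder
        FTPSClient client = connect(host, 21);
        System.out.println("Verified TLS session with " + host);
        client.logout();
        client.disconnect();
    }
}
```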
